Content Security Policy and iframes
Hi all,
One of our users wants to embed a JATOS study into a page from another application via an iframe.
From reading the documentation, it suggests setting the X-Frame-Options header to null. Unfortunately, this is a bit more permissive than I'd like, as I'd rather only allow a specific set of sites to embed JATOS.
From reading the source code, the CSP headers are set in application.conf, which is imported into jatos.conf, with the various elements from application.conf being manipulatable within it, so it looks like I can do this:
```hocon
# Do not remove this line (it contains the default configuration)
include "application.conf"
# Add my override here
play.filters.csp.directives {
  frame-ancestors = "'self' permitteddomain1.com permitted2domain.com"
}
# HTTP address and port
```
I've given this a very cursory test, and it appears to work (the header contains the expected content).
Is this a sane approach? Or have I missed something in the documentation? Obviously modifying the configuration file is going to make upgrades more difficult (but there are ways to automate that).
Thanks 😀
Comments
Hi!
I'm not an expert in CSP directives but I think you got a better approach to allowing iframes than JATOS' documentation has so far. I found this page that explains why it is the better choice.
So, yes I agree with you, it is a sane approach. And we should update the JATOS docs ;)
Best,
Kristian
Hi Kristian,
Great - thanks for confirming I hadn't missed something in the docs. 😀
On a related note, running our JATOS instance through Security Headers gave it a reasonably good score (A) - it was just showing as missing X-Content-Type-Options and Permissions-Policy. I'm guessing it's probably safe to set X-Content-Type-Options:
`play.filters.headers.contentTypeOptions = "nosniff"`
I think there's probably more chance of breaking an existing study with Permissions-Policy.
I don't know if it's worth your time looking at it whilst you're there?
We had to allow content type sniffing for some study assets to work. Can't remember exactly what it was. But some asset files just wouldn't work with 'nosniff'.
Ah, that makes sense. Thanks :)
Hi!
I had some time to actually try the `play.filters.csp.directives` in the wild and unfortunately found that it doesn't work with JATOS. Actually `play.filters.csp.directives` are disabled for certain "publix" endpoints (the ones with 'publix' in the URL path). These are:
Those endpoints are basically the ones that start a study / component or show the end page.
The reason for this, as I remember now, is that people want to have the freedom in their experiment's JavaScript to load stuff from different servers than JATOS, e.g. videos from YouTube, JavaScript from CDNs, images from some external source etc. So I turned off CSP directives for all endpoints delivering HTML pages for experiments.
There is a way to change CSP directives dynamically in the framework JATOS is using, so that JATOS could respond with different CSP directives on different endpoints. But this would mean some effort on my side and take time that I currently just do not have. Especially since there is this other method with `play.filters.headers.frameOptions = null` that works (although does not allow you to specify the allowed domain - just allows all domains).
Best,
Kristian
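Since the CSP override is dropped on the publix endpoints while `frameOptions = null` removes X-Frame-Options altogether, the practical check is to fetch the exact URL that will be embedded and evaluate what its headers actually permit. The following is an added Python example, not code from this thread or from JATOS, that applies the browser rules for `frame-ancestors` and `X-Frame-Options` to a response's headers; the header dictionaries in it are constructed samples, and the hostnames are the placeholders from the first post.

```python
"""Added example (not from the JATOS thread or project): decide whether an
embedding origin may frame a page, given the page's response headers, using
the browser rules for CSP frame-ancestors and X-Frame-Options."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(header_value):
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    directives = {}
    for part in header_value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _split_origin(origin):
    """'https://host[:port]' -> (scheme, host, effective port)."""
    parts = urlsplit(origin.lower())
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme)


def source_matches(source, embedder, page):
    """Does one frame-ancestors source expression match the embedding origin?"""
    src = source.lower()
    e_scheme, e_host, e_port = _split_origin(embedder)
    p_scheme, p_host, p_port = _split_origin(page)
    if src == "'none'":
        return False
    if src == "*":
        return True
    if src == "'self'":
        return (e_scheme, e_host, e_port) == (p_scheme, p_host, p_port)
    if src.endswith(":") and "/" not in src:          # scheme-source, e.g. "https:"
        return e_scheme == src[:-1]
    # host-source: [scheme://]host[:port][/path]; the path does not affect origins
    scheme, rest = src.split("://", 1) if "://" in src else (None, src)
    host, _, port = rest.split("/", 1)[0].partition(":")
    if scheme is None:
        # No scheme given: the page's own scheme matches, and https may frame an http page
        if e_scheme != p_scheme and not (p_scheme == "http" and e_scheme == "https"):
            return False
    elif e_scheme != scheme:
        return False
    if host.startswith("*."):
        if not e_host.endswith(host[1:]):
            return False
    elif e_host != host:
        return False
    if port == "":
        expected_port = DEFAULT_PORTS.get(e_scheme)   # no port given: default for the scheme
    elif port == "*":
        expected_port = e_port
    else:
        expected_port = int(port)
    return e_port == expected_port


def framing_allowed(headers, page_origin, embedder_origin):
    """Return (allowed, deciding_header) for embedder_origin framing page_origin."""
    lower = {name.lower(): value for name, value in headers.items()}
    csp = parse_csp(lower.get("content-security-policy", ""))
    if "frame-ancestors" in csp:
        # With frame-ancestors present, browsers ignore X-Frame-Options entirely.
        allowed = any(source_matches(s, embedder_origin, page_origin)
                      for s in csp["frame-ancestors"])
        return allowed, "frame-ancestors"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "x-frame-options"
    if xfo == "SAMEORIGIN":
        return _split_origin(embedder_origin) == _split_origin(page_origin), "x-frame-options"
    # Header absent (the frameOptions = null case) or unrecognised: nothing restricts framing.
    return True, "none"


# Constructed sample responses, not captured from a real JATOS instance.
PAGE = "https://jatos.example.org"
ADMIN_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; "
                               "frame-ancestors 'self' permitteddomain1.com permitted2domain.com",
    "X-Frame-Options": "DENY",   # overridden by frame-ancestors above
}
PUBLIX_HEADERS = {}              # CSP dropped on the endpoint and frameOptions = null
SAMEORIGIN_HEADERS = {"X-Frame-Options": "SAMEORIGIN"}

if __name__ == "__main__":
    for embedder in ("https://permitteddomain1.com", "https://other.example",
                     "http://permitteddomain1.com"):
        print("admin page  <-", embedder, framing_allowed(ADMIN_HEADERS, PAGE, embedder))
        print("publix page <-", embedder, framing_allowed(PUBLIX_HEADERS, PAGE, embedder))
```

Run it against the headers of a real response (for instance the dictionary returned by `requests.get(url).headers`) for both an admin page and a publix study URL: the admin page should report the allowlist, while the publix page, under the configuration this thread ends up with, reports that nothing restricts framing.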
Hi Kristian,
Thanks for letting me know - I'll add a note in our internal documentation.
P.S. Apologies for the late reply - apparently I had not done a good job of setting my notification settings...